GHSA-3hfj-qcvj-4hx8

Source
https://github.com/advisories/GHSA-3hfj-qcvj-4hx8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-3hfj-qcvj-4hx8/GHSA-3hfj-qcvj-4hx8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3hfj-qcvj-4hx8
Published
2025-02-21T23:53:22Z
Modified
2025-02-22T00:15:43.483074Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Leantime has Missing Authorization Check for Host Parameter
Details

Finding Description

The application has functionality that lets a user view profile information. It does not implement an authorization check on the "Host" parameter, which allows a user to view another user's profile information by replacing the "Host" parameter.

Impact

By exploiting this vulnerability an attacker is able to view profile information (but cannot view anything else or change anything).

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-21T23:53:22Z"
}
References

Affected packages

Packagist / leantime/leantime

Package

Name
leantime/leantime
Purl
pkg:composer/leantime/leantime

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.3

Affected versions

v2.*

v2.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.1-beta
v2.1-beta2
v2.1-beta3
v2.1-beta5
v2.1-beta6
v2.1
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.2.10
v2.2.11
v2.3.0-beta
v2.3.1-beta
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27

2.*

2.4-beta
2.4-beta-7
2.4-beta-8
2.4
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.7
2.4.8

3.*

3.0.0-beta
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.1.0-beta
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0-beta
3.2.0-beta-2
3.2.0
3.2.1